diff --git a/accounts.js b/accounts.js
index 5c2067d..6e44edf 100644
--- a/accounts.js
+++ b/accounts.js
@@ -1,12 +1,9 @@
 'use strict';
 
-var crypto = require('crypo');
+var crypto = require('crypto');
 var PromiseA = require('bluebird');
 var OpErr = PromiseA.OperationalError;
-
-function makeB64UrlSafe(b64) {
-  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=*$/, '');
-}
+var makeB64UrlSafe = require('./common').makeB64UrlSafe;
 
 function retrieveOtp(codeStore, codeId) {
   return codeStore.get(codeId).then(function (code) {
@@ -203,13 +200,13 @@ function create(app) {
       }
 
       if (req.body.grant_type === 'password') {
-        restful.createToken.password(req);
+        return restful.createToken.password(req);
       }
       if (req.body.grant_type === 'issuer_token') {
-        restful.createToken.issuerToken(req);
+        return restful.createToken.issuerToken(req);
       }
       if (req.body.grant_type === 'refresh_token') {
-        restful.createToken.refreshToken(req);
+        return restful.createToken.refreshToken(req);
       }
 
       throw new OpErr("unknown or un-implemented grant_type '"+req.body.grant_type+"'");
@@ -273,7 +270,7 @@ function create(app) {
         if (req.body.hasOwnProperty('exp')) {
           accessOpts.expiresIn = timespan(req.body.exp, token_info.exp);
         } else {
-          accessOpts.expiresIn = timespan('1d', token_info.exp);
+          accessOpts.expiresIn = timespan('1h', token_info.exp);
         }
         var refreshOpts = {};
         refreshOpts.expiresIn = timespan(req.body.refresh_exp, token_info.exp);
@@ -350,6 +347,10 @@ function create(app) {
       });
     });
   };
+
+  return {
+    restful: restful,
+  };
 }
 
 module.exports.create = create;
diff --git a/common.js b/common.js
index 594b66b..8769ca2 100644
--- a/common.js
+++ b/common.js
@@ -3,6 +3,10 @@
 var PromiseA = require('bluebird');
 var OpErr = PromiseA.OperationalError;
 
+function makeB64UrlSafe(b64) {
+  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=*$/, '');
+}
+
 function checkIsserToken(req, expectedSub) {
   if (!req.oauth3 || !req.oauth3.verifyAsync) {
     return PromiseA.reject(new OpErr("request requires a token for authorization"));
@@ -37,3 +41,4 @@ function checkIsserToken(req, expectedSub) {
 }
 
 module.exports.checkIsserToken = checkIsserToken;
+module.exports.makeB64UrlSafe = makeB64UrlSafe;
diff --git a/grants.js b/grants.js
index b83b36e..7ce1413 100644
--- a/grants.js
+++ b/grants.js
@@ -15,7 +15,7 @@ function trim(grant) {
 }
 
 function create(app) {
-  var restful;
+  var restful = {};
 
   restful.getOne = function (req, res) {
     var promise = req.Store.get(req.params.sub+'/'+req.params.azp).then(function (grant) {
diff --git a/jwks.js b/jwks.js
index 15cd308..cd69d34 100644
--- a/jwks.js
+++ b/jwks.js
@@ -3,10 +3,7 @@
 var crypto = require('crypto');
 var PromiseA = require('bluebird');
 var OpErr = PromiseA.OperationalError;
-
-function makeB64UrlSafe(b64) {
-  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=*$/, '');
-}
+var makeB64UrlSafe = require('./common').makeB64UrlSafe;
 
 function thumbprint(jwk) {
   // To produce a thumbprint we need to create a JSON string with only the required keys for
diff --git a/rest.js b/rest.js
index 0bbc207..cad511e 100644
--- a/rest.js
+++ b/rest.js
@@ -3,7 +3,7 @@
 module.exports.create = function (bigconf, deps, app) {
   var Jwks = require('./jwks').create(app);
   var Grants = require('./grants').create(app);
-  var Accounts = { restful: {} };
+  var Accounts = require('./accounts').create(app);
 
   // This tablename is based on the tablename found in the objects in model.js.
   // Instead of the snake_case the name with be UpperCammelCase, converted by masterquest-sqlite3.